France

[FR] Right to be forgotten: CNIL fines Google 100 000 euros for failing to dereference from its entire search engine

IRIS 2016-5:1/13

Amélie Blocman

Légipresse

In May 2015, further to the Costeja decision delivered on 13 May 2014, the Chair of the National IT and Freedom Commission (Commission Nationale Informatique et des Libertés - CNIL) ordered Google Inc. to carry out dereferencing on all the extensions of Google Search within a period of fifteen days. As this was not done within the given time, the Chair of the CNIL instituted sanction proceedings.

The authority’s restricted formation found that the 1978 Information Technology and Freedoms Act was applicable to all processing connected with the Google Search service, as had the Court of Justice of the European Union (CJEU). Furthermore, it was within the CNIL’s remit to determine how dereferencing was to be carried out, since the processing at issue was to be implemented “over all or part of the national territory, even if the entity in charge of the processing [was] established in the territory of another member State” (Article 48 of the 1978 Act). The CNIL also recalled that the right to be dereferenced, derived from the right to oppose data and the right to have data deleted, was attached to the person in question. Where the right was to be applied, it ought to be effective with no restriction and in respect of all processing, even if this would entail conflict with foreign rights. Lastly, the CNIL stated that the decision to dereference was made after an assesment of proportionality, intended to preserve a strict balance between the respect of entitlement to privacy and data protection on the one hand, and the public’s interest in having access to information on the other. Thus the CNIL found that limiting dereferencing to Google’s European extensions was firstly unfounded and secondly insufficient, as the dereferenced data could be accessed via the search engine’s non-European extensions. The CNIL concluded that only dereferencing over the entire search engine could provide effective protection for personal rights. After the CNIL’s deadline for compliancy expired, Google had undertaken to improve its dereferencing arrangements. The CNIL found the proposed solution, which consistied of arranging filtering according to the geographical origin of the person using the search engine, incomplete and deemed that it was not sufficient to ensure full compliance with either its order or Articles 38 and 40 of the Information Technology and Freedoms Act. The CNIL therefore fined Google 100 000 euros.